[arin-ppml] BGP Hijacking Definition

Michel Py michel at arneill-py.sacramento.ca.us
Mon May 6 16:52:19 EDT 2019

[multiple posts consolidated]

Hi Keith,

> Keith W. Hare wrote:
> Let’s look at the simple network example:
> A<-->G1<->G2<-->B

In none of your 7 models do I see a sign of hijacking. There is no doubt about who has been allocated the IP resource; neither A nor B is using resources that have not been allocated to them.

> 5. Router that records all packets for security audits

Inside a private organization, this is legal and quite common. 

> 6.  Router that records all packets and sends them to a competing organization/nation

This is called interception. There is lawful and unlawful interception. The lawful part greatly varies depending on who and where you are, and that is a debate for lawyers.

> 7.  Router that adds delays for all packets for a particular 

This one is called net neutrality, and it is legal or is about to become legal given the latest FCC rulings.
Example: Comcast and Verizon degrade/cap Netflix for their residential customers because they want Netflix to give them money, or because they want to make their own paying service look better.
This is clearly an FCC thing, it's very political (the Obama administration was quite vocal about it); I think it is well scoped and that it's something that ARIN does not want to touch with a 10 ft pole. 

> One problem I see with coming to a clear definition of BGP or Route hijacking is that techniques used
> for network security are not hugely different from the techniques used for malicious activities.

I think they are different though. Technically, interception and traffic shaping are much more complicated than BGP hijacking.

>> Ronald F. Guilmette writes:
>> If people want to use -internally- as private RFC1918 address
>> space, who's preventing them from doing so?  As long as there are no route
>> leaks for any of this to the outside world, I don't see the issue/problem.

> Dave Lawrence wrote:
> A very good, brief summary:
> http://packetlife.net/blog/2010/oct/14/ipv4-exhaustion-what-about-class-e-addresses/
> Basically it has been suggested before but ended up torpedoed by the
> reality of huge chunks of the existing deployed base blocking it hard.

In part. I would point out though that if this had been done 15 years ago, the existing base would have changed enough to make it usable now. These are things that you need to start very early. This squatting of DoD space to extend RFC1918 is a disgrace that could have been avoided.

> Ronald F. Guilmette writes: Sounds like a software problem. If your software
> doesn't do what you want it to do, that's hardly ARIN's responsibility.

ARIN has nothing to do with it, it was an example of policy producing the opposite result as the intent.

> Larry Ash wrote:
> Does ARIN or any of the other RIRs really want to get into these kind
> of network engineering and operations debates?

For the record, I have said that I agreed that prop-266 was out of scope. But some people have asked pertinent questions and clarifications.

> I would argue that if a host and the server that provides service to that host
> are within the same ASN then the network and its traffic is private.

I have to disagree with that. Let me give you an example: I am at home, and I am accessing the web site of my city for whatever reason.
The traffic stays between the same ASN because we happen to have the same ISP, but this is not private traffic. The boundary between private and public is at the interface between the ISP and the customer / subscriber. For me, the Internet starts between my router and the ADSL modem of my ISP.

> There are systems and services that are so sensitive or compromise so costly that it is imperative
> that no contact from  outside the local ASN be allowed. It becomes a form of Russian roulette to put
> a world routable address on them. So we have had to come up with an alternative. Many have resorted
> to in the voice community since the attacks on voice resources are so heavy and persistent
> that a DDoS can result from trying to use packet filters to protect some systems.

Please note that I am not judging. I wrote recently that this prop-266 would scare the wrong people, those who do unsavory things because they don't have an alternative. Some think you should roast in the flames of hell for eternity, not me.

Do you (or the organizations you help) sell voice services to the public that are hosted on these systems that have a 30/8 address?

> Michel's definition also has grey areas when it comes to ip-ip tunnels. If tunnel
> traffic has what we all would call public traffic is the tunnel itself public?

A tough one.
If it's your own VPN tunnel, it's private. If an ISP sells you an MPLS tunnel, I'd say it's public.
I tend to say that something a provider sells to a third party is public, unless it comes down to dark fiber or wavelength.
